(57) In a wireless network, an architecture for wireless attack resistance (AWARE) detects power-drain denial-of-service (DoS) attacks by generating statistical measures relating the power consumption by a mobile unit and data transmitted to and from the mobile unit during normal operations of the wireless network. The AWARE architecture compares those statistical measures to current measures to detect a DoS attack if the current measure differs from the statistical measure by more than a specified threshold. If a DoS attack is detected, then the AWARE architecture can inhibit communications with the mobile unit to prevent the mobile from consuming too much power. The statistical measure may be an energy efficiency ratio relating the number of bits of data transmitted to or from the mobile unit over a specified time interval to the amount of power consumed by the mobile unit during that time interval.
Description

BACKGROUND OF THE INVENTION 
Field of the Invention 

[0001] The present invention relates to communications networks, and more specifically, to denial-of-service (DoS) attacks in wireless networks.

Description of the Related Art 

[0002] Denial-of-service (DoS) attacks continue to present a significant challenge to network operators. Recently, the frequency and magnitude of attacks directed toward Internet resources have been steadily increasing. These attacks include the February 2000 attacks on popular Web sites including www.yahoo.com, www.cnn.com, www.ebay.com, and the recent attacks on the core Internet domain name servers (DNSs).
[0003] DoS attacks typically involve blasting a network node (e.g., a server) with a volume of traffic that exceeds the node's handling capacity. This volume of traffic invariably disables the operation of the node for the duration of the attack. A more sophisticated type of DoS attack is known as a distributed DoS (DDoS) attack. In DDoS, an attacker intending to launch a DDoS attack begins by subverting a number of nodes (e.g., via well-known security loopholes), effectively making them slaves to the attacker. These compromised nodes are then used as launch points to inject traffic into the network. By summoning a reasonable number of compromised nodes, an attacker can potentially launch a large-scale, network-wide attack by coordinating the traffic from multiple launch points.

[0004] There is no dearth of research related to DoS counter-measures. Indeed, a large variety of solutions have been proposed. The current state of the art in defending against DoS attacks includes (1) stateful firewalls (e.g., the PIX router from Cisco Systems of San Jose, CA; Netscreen from Juniper Networks of Sunnyvale, CA; Firewall-1 from Checkpoint Systems of Redwood City, CA), (2) router modifications to support "pushback" (i.e., attempting to install filters from the target of the attack backwards to the source), (3) "traceback" (i.e., attempting to detect the source of the attack), and (4) intrusion-detection mechanisms that look for anomalies or signatures in arriving traffic. More information on pushback, traceback, and intrusion detection can be found in Ioannidis J. and Bellovin S., "Implementing pushback: Router-based defense against DDoS attacks," Proceedings of Network and Distributed Systems Security Symposium, February 2002; Snoeren A., "Hash-based IP Traceback," Proceedings of ACM SIGCOMM, 2001; and "Snort: Open-source Network Intrusion Detection System", http://www.snort.org, each incorporated herein by reference in its entirety.

[0005] Some of these approaches require significant changes to existing network elements and thus may be costly to deploy, while others require collaboration across Internet service providers (ISPs) and thus may be impractical. Nonetheless, these schemes do reduce the threat of wire-line DoS attacks. For example, a common feature of firewalls that prevents connections from being initiated from outside an enterprise LAN is fairly successful in mitigating the effects of many DoS flooding attacks.
[0006] While many solutions exist for wired networks, few solutions exist for wireless networks. The increasing proliferation of wireless devices such as PDAs and mobile phones, along with enabling technologies such as Bluetooth, wireless fidelity (WiFi), universal mobile telecommunications system (UMTS), and third-generation wireless (3G), presents new opportunities for DoS attacks. This is because wireless networks include several vulnerabilities that do not exist in wired networks. These vulnerabilities include limited tolerance for traffic due to constrained wireless link bandwidths, a greater processing overhead associated with wireless links due to their relatively complex nature, and limited power associated with wireless client devices.

[0007] Traffic: The scarcity of resources combined with the low capacity of wireless links makes a wireless network an easy target for a DoS attack. It takes significantly less traffic to overload a wireless link than it does to overload a wired link.

[0008] Processing overhead: A typical 3G or UMTS network has several infrastructure elements that perform a host of functions such as power control, resource allocation, paging, etc. The radio network controller (RNC) and the base stations are involved in these activities for each mobile, and, in fast-handoff systems, the overhead on these devices is tremendous. Such devices in wireless networks are typically engineered to handle a limited load associated with a given number of simultaneously active users. Overload, therefore, is a significant concern for the wireless infrastructure.

[0009] Limited power supply: Mobile clients in a wireless network are usually powered by batteries whose limited lifetimes make them targets for a class of attacks that simply drain the power by making the mobile perform redundant, power-consuming activities. Power drain can quickly render a mobile device inoperable.

[0010] An attacker launching a wireless-specific DoS attack can easily exploit these vulnerabilities. There are two key aspects that can enhance and facilitate such wireless attacks when compared to wireline DoS.
[0011] Volume of the attack: In a wireline attack, an attacker has to flood large volumes of data onto a network in order to be successful in overwhelming one or more servers. Since this increases the probability of detection of the source of the attack, it renders wireline DoS attacks less effective. A wireless link is easier to overload with substantially less traffic. This provides a dual advantage to the attacker: (1) ease of launching the attack from the attacker's perspective and (2) difficulty in detecting the source of the attack due to the relatively low volume of traffic.

[0012] Target of the attack: In a wired network, the server is typically the target of a DoS attack. Thus, countermeasures have been able to focus on making the server more robust. However, in a wireless network, the intended target of an attack can be one of a number of different elements within the network, including servers, clients, and infrastructure. In a wireless DoS attack, the attacker has increased flexibility, since both infrastructure and mobiles can be easily attacked. The same attack can target multiple mobiles, either by attacking each mobile individually or by targeting the wireless infrastructure for a more widespread effect. Furthermore, advanced wireless architectures such as Evolution Data Only (EV-DO) networks, with always-on mobiles, have increased susceptibility to power-drain attacks.
[0013] In a DoS attack on a wired network, it takes a certain amount of time for a server to be disabled, since servers typically have significant bandwidth and processing capacity. However, in a wireless network, mobiles typically have very limited bandwidth and processing capacity, as well as limited battery lifetimes. Thus, an attack that has reached a mobile has already succeeded in wasting critical resources on the wireless link, the wireless infrastructure, as well as the battery resource at the mobile.

[0014] Accordingly, there exists a need for DoS and DDoS attack counter-measures that are specific to the wireless environment and address its characteristic vulnerabilities.

SUMMARY OF THE INVENTION 

[0015] Problems in the prior art are addressed, in accordance with principles of the present invention, by a method and apparatus for protecting against denial-of-service (DoS) attacks that are directed toward draining power from mobiles in a wireless environment.
[0016] In one embodiment, the invention is an Architecture for Wireless Attack REsistance (AWARE) that is added to a wireless network to detect and protect against the wireless DoS (W-DoS) attack. The AWARE architecture includes a profiler, a detector, and a protector. The profiler determines the norms for power consumption as a function of traffic for mobiles within the network. The detector compares these norms with actual values of power consumption vs. traffic experienced by various mobiles within the network. If the actual values exceed one or more specified thresholds, then the detector considers the wireless network to be under attack and the AWARE protector uses existing functions (e.g., blacklisting) that exist within the wireless network to counter the attack. The AWARE architecture can be collocated with the firewall or distributed among one or more elements of the wireless infrastructure and the mobiles themselves.
[0017] The AWARE profiler may be implemented as a learning database that captures information about each user in a pre-processing step that enables it to learn about the normal traffic profile for each user. This database is also correlated with other user databases for cross-mobile correlation. The information in these databases is fed to the detector, which maintains thresholds for each user and determines if traffic for a user or set of users violates the corresponding threshold.
[0018] In one embodiment, the present invention is a method and architecture for detecting a denial-of-service attack in a wireless network. A statistical measure is generated characterizing a relationship between power consumption by a mobile unit of the wireless network and data transmitted to and from the mobile unit during normal operations of the wireless network. The statistical measure is compared to a current measure of the relationship. The DoS attack is detected if the current measure differs from the statistical measure by more than a specified threshold.

[0019] In another embodiment, the present invention is a wireless network comprising (1) an access node adapted to provide access between the wireless network and an internet, (2) one or more radio network controllers (RNCs) adapted to communicate with the access node, (3) one or more base stations for each RNC and adapted to communicate with the RNC and with one or more mobile units, and an architecture adapted to perform the method of the previous paragraph.

BRIEF DESCRIPTION OF THE DRAWINGS 

[0020] Other aspects, features, and advantages of the present invention will become more fully apparent from the following detailed description, the appended claims, and the accompanying drawings in which:

FIG. 1 illustrates an exemplary wireless network of the prior art.

FIG. 2 illustrates an exemplary wireless network according to one embodiment of the present invention.

FIG. 3 illustrates the top-level functional flow for a portion of the processing performed by the Architecture for Wireless Attack REsistance (AWARE) of FIG. 2.

DETAILED DESCRIPTION 

[0021] Reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one implementation of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments necessarily mutually exclusive of other embodiments.

Introduction 

[0022] FIG. 1 illustrates exemplary wireless network 100 of the prior art. Wireless network 100 includes mobile (e.g., laptop or cell phone) 102, cell tower 104, base station (BS) 106, radio network controller 108, and Packet Data Serving Node (PDSN) 110.

[0023] During normal operation, mobile 102 communicates with PDSN 110 via cell tower 104, BS 106, and RNC 108 to authenticate and register itself with the network. PDSN 110 is fundamentally a router that functions as the gateway for data flow to and from all mobiles in the wireless network. The PDSN provides access to the Internet, intranets, and applications servers for the mobile. Acting as an access gateway, the PDSN provides simple Internet protocol (IP) and mobile IP access, foreign agent support, and packet transport for virtual private networking. The PDSN further acts as a client for authentication, authorization, and accounting (AAA) servers and provides mobiles with a gateway to the IP network. The PDSN allows a mobile to move and still have packets forwarded to it.

[0024] The term "Packet Data Serving Node" and its acronym "PDSN" refer to access nodes in networks conforming to a CDMA (Code-Division Multiple-Access) standard. In UMTS networks, the PDSN analog is referred to as a Gateway GPRS Support Node or GGSN, where GPRS stands for General Packet Radio Service. As used in the claims, the term "access node" will be understood to cover both CDMA PDSN nodes as well as UMTS GGSN nodes.

[0025] When a mobile successfully authenticates and registers with the network, a point-to-point (PPP) link is set up between a PDSN and the mobile. Though not explicitly shown in FIG. 1, the architecture is hierarchical with multiple mobiles 102 being served by each tower 104, one or more towers being served by each base station 106, multiple BSs being served by each RNC 108, and finally, multiple RNCs communicating with each PDSN 110.

[0026] Batteries are typically used to power the mobiles within the network, although there are some other alternatives (e.g., solar power). In any case, mobiles are typically characterized by limited power capacity. In a typical mobile, the battery is expected to give a certain battery life under a normal set of usage conditions. Under these normal conditions, the mobile is actively used for a small fraction of time and it is idle the rest of the time. When the mobile is idle, power-management software places the mobile into a low-power standby and/or sleep mode, thereby extending its battery life. Efficient power management is crucial to the success of mobile operation because the capacity of batteries has improved very slowly (doubling only every 35 years) relative to mobile computing capacity and power consumption, which have increased relatively rapidly. It has been demonstrated that an efficient power-management algorithm can increase battery lifetime by several times.



Wireless DoS power-drain attacks 

[0027] Because of the limited power capacity of mobiles, a category of W-DoS attacks includes those attacks where the goal of the attack is to trigger mobiles to drain their batteries faster than normal. One way this is achieved is by making the wireless infrastructure elements (specifically, the BS and RNC) communicate more frequently with the mobile than is necessary for basic maintenance operations such as ranging and registration. If an attacker can prevent a mobile from entering its normal low-power standby state by keeping it active, the mobile's battery life can be drastically shortened. To do this, an attacker can employ a number of different strategies, including "code injection" and "low-volume data triggering."

Code injection attack 

[0028] Code injection involves injecting programs into mobiles that keep them busy. The programs can be either (1) legitimate, though energy-hungry, mobile applications or (2) viruses whose only task is to consume lots of energy. Although the damage due to these kinds of attacks can be severe, the defense is relatively straightforward. A virus-scan program can be used to detect and remove virus-based programs. In addition, a user can carefully inspect programs that are installed on his/her mobile and minimize the use of energy-hungry applications or customize their energy use profiles. For example, in a mobile that includes a digital camera, turning off an "always-on" or "high-brightness" display feature of the camera can substantially increase the battery lifetime.

Low-volume data trigger attack 

[0029] A low-volume data trigger (LVDT) attack operates on the principle that the longer a mobile is kept active, the faster the battery will drain. This type of attack is extremely hard to defend against. A typical mobile alternates between active and idle states when connected to a wireless network. A mobile enters the active state when the mobile needs to transmit or receive packets. Power-management schemes ensure that mobiles transition to idle states if no data is sent or received during a specified timeout period. An LVDT attack can involve breaking the power-management scheme by periodically sending low volumes of data to the mobile. By properly timing the packet arrivals, the attacker can keep the mobile in active mode continuously, creating an inordinately high power drain with a relatively small amount of traffic. An LVDT attack can cause severe damage, while being easy to launch and hard to detect due to the low-volume nature of the attack.

[0030] It is the LVDT attack strategy that is a focus of the present invention. The low-volume data trigger attack, also referred to herein as a battery attack, can be best understood in the context of the different states of a mobile and the power consumed in each state.

• Power Off: In this state, the mobile does not consume any power.

• Dormant: In this state, the mobile is powered on but is not connected to the wireless network. Since the mobile does not communicate with the wireless network (except for low-frequency paging), the mobile conserves power in this state.

• Idle: This is the state that a mobile enters after connecting and authenticating itself to the wireless network. In this state, the mobile is ready to transmit and receive data but is not currently doing so. Periodically (e.g., every 20 ms in a typical 3G implementation), the mobile transmits power-control frames to the base station in order to provide information to the base station on the quality of the wireless link. A mobile consumes power in the idle state due to the transmission of power-control frames. A mobile enters the dormant state if there is a period (e.g., 20 seconds) of inactivity on the wireless link when no data is transmitted or received.

• Tx/Rx: In this state, the mobile is actively transmitting or receiving data. The most power is consumed in this state due to the continuous transmission and/or reception.

[0031] In general, the greater the activity at the network interface of the mobile, the more power that is consumed. A mobile will consume almost as much power in the idle state as it does in the Tx/Rx state due to the frequent use of the network interface for transmitting power-control frames while in the idle state. Further, other than when it is powered off, a mobile consumes the least amount of power in the dormant state due to the inactivity of the interface. This agrees with experimental results with a typical PDA, which show, for example, power consumption of 30 mA in the dormant state, 270 mA in the idle state, and 300 mA in the Tx/Rx state.
[0032] This suggests that an attacker can cause the maximum amount of damage by sending an amount of traffic just sufficient to keep the mobile in an active state (e.g., either the idle or Tx/Rx state). For example, experiments show that a simple "ping" attack to a mobile, where the ping is repeated just once every 20 seconds, can cause an increase in power consumption by the mobile of nearly ten times the power consumption of the mobile under normal operating conditions.

Battery attack characteristics 

[0033] The key characteristics of the battery attack are:

• Ease of launching the attack: In order to keep a mobile active, all that is required by the attacker is to send one small packet to the mobile before the idle timer timeout. If a mobile is idle (i.e., not transmitting or receiving data) for a time period x, where x is the specified idle timer timeout interval, then the mobile will transit to the dormant state.

• Difficulty in detection: The low-volume nature of the attack allows the attacker to bypass many threshold-based intrusion-detection mechanisms and firewalls that filter out high-volume attack traffic such as is commonly seen in wired-network DoS attacks.

• Widespread impact: A single attacker can keep many mobiles in an active state in a wireless network. In contrast, a conventional DDoS attack in a wired network would require an attacker to compromise thousands of hosts in order to be successful, especially since popular sites such as www.cnn.com and www.yahoo.com servers have such large bandwidth and processing capabilities.

[0034] Unlike conventional DoS attacks used in wired networks, in a wireless network it is important to attempt to stop a battery attack before it reaches a mobile. This is because, by the time that the mobile recognizes that it is under attack, a significant amount of power may already have been wasted. Therefore, it is highly desirable to have a solution that resides in the wireless infrastructure and prevents such packets from reaching the mobile.

Architecture for Wireless Attack REsistance (AWARE) 

[0035] FIG. 2 illustrates exemplary wireless network 200 according to one embodiment of the present invention. Wireless network 200 includes elements corresponding to those in exemplary wireless network 100 of FIG. 1, namely, mobile 202, cell tower 204, base station (BS) 206, radio network controller (RNC) 208, and packet data serving node (PDSN) 210. Each of these elements of network 200 functions similarly to its corresponding element in network 100.

[0036] Wireless network 200 also includes the Architecture for Wireless Attack REsistance (AWARE) 212. Although the AWARE architecture is illustrated as being implemented co-located with a firewall between the PDSN and the Internet in FIG. 2, it should be noted that alternative implementations of the AWARE architecture are possible. As would be understood by one skilled in the art, given the following discussion, the AWARE architecture can be implemented as a stand-alone piece of hardware or as a software function co-located with one or more of the other elements of the wireless network. The operation of AWARE architecture 212 is described in more detail below.

[0037] FIG. 3 illustrates the top-level functional flow 300 for a portion of the processing performed by AWARE architecture 212 of FIG. 2. The processing includes the steps of profiling 302, detection 304, and protection 306. In profiling step 302, the normal traffic characteristics of the network and mobiles as well as estimates of the power consumption of the mobiles are used to determine a set of normal energy efficiency ratios (EERs), where an EER is defined to be the ratio of the amount of data transmitted or received by a mobile in a given interval to the amount of power spent by that mobile during that same interval. In detection step 304, actual EERs for mobiles in the network are determined. These are compared with the EERs for mobiles in the network under normal operating conditions (e.g., no attack). If the ratios deviate from the norm sufficiently, then it is assumed that an attack is underway, and in step 306, steps (e.g., dynamic filtering) are taken to protect the network. EERs can be estimated during profiling and detection for a wide diversity of communication scenarios, allowing an EER-based threshold to be selected that is most relevant to the communications under analysis. As an example, an EER statistic developed for single-user streaming audio of a given bitrate can be used to develop a threshold appropriate to that specific scenario or a set of scenarios of streaming audio over a given range of bitrates.

Energy efficiency ratio 

[0038] The EER can be calculated in a number of different ways. For example, in a computer-implemented embodiment, the following calculation can be performed by a processor within the AWARE architecture to determine EER:

EER = \frac{\sum_{i} D_i}{\sum_{i} P_i}    (1)

where D_i is the data size in bits of each packet i that is sent or received during a time interval T and P_i is the power consumed by the transmission or reception of the i-th packet.

[0039] In some embodiments, assumptions can be made to minimize the detail required to calculate an EER. For example, rather than keeping track of the exact size of each packet, simply tracking the number of packets can be sufficient for some applications. Also, rather than calculating a summation of the power consumed for each packet transfer to use in the denominator of Equation (1), the total power consumed during the interval can instead be reported and captured, or a sampling of the rate of power consumption, etc. Other approaches are possible. The basic idea is to achieve an estimate of the EER under "normal" circumstances.
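As an added illustration that is not part of the patent, the following Python program ties together the mobile state model of [0030]-[0032] and the EER of Equation (1): it estimates a mobile's energy draw from packet arrival times using the dormant/idle/Tx-Rx states, the 30/270/300 mA figures and the 20-second idle timeout quoted above, computes EER in bits per mAh, profiles a baseline from windows of normal traffic for one scenario, and flags a window whose EER deviates from that baseline by more than a threshold. The Tx/Rx dwell time per packet, the 0.5 threshold, and all packet traces are constructed assumptions, and charge in mAh stands in for the power term P_i.

```python
"""Added example (not from the patent): traffic-based energy estimate,
EER of Equation (1), and threshold detection against a profiled baseline.
Per-state currents and the idle timeout are the values quoted in the text;
the Tx/Rx dwell time per packet, the threshold and the traces are constructed."""

from statistics import mean

# Per-state current draw (mA) quoted in the text for a typical PDA.
CURRENT_MA = {"dormant": 30.0, "idle": 270.0, "txrx": 300.0}
IDLE_TIMEOUT_S = 20.0     # inactivity after which an idle mobile goes dormant
TXRX_DWELL_S = 0.05       # assumed radio-active time per packet (hypothetical)


def estimate_charge_mah(packet_times, window_s):
    """Integrate current over the state machine implied by packet timestamps.

    The mobile is assumed dormant at the start of the window. Each packet puts
    it in Tx/Rx for TXRX_DWELL_S, after which it sits idle until the next
    packet or until IDLE_TIMEOUT_S expires, and then drops to dormant.
    Returns milliamp-hours, which stands in for the power term P_i.
    """
    times = sorted(t for t in packet_times if 0.0 <= t < window_s)
    if not times:
        return CURRENT_MA["dormant"] * window_s / 3600.0
    charge_mas = CURRENT_MA["dormant"] * times[0]      # dormant until first packet
    for i, t in enumerate(times):
        end = times[i + 1] if i + 1 < len(times) else window_s
        tx_end = min(t + TXRX_DWELL_S, end)
        idle_end = min(tx_end + IDLE_TIMEOUT_S, end)
        charge_mas += CURRENT_MA["txrx"] * (tx_end - t)
        charge_mas += CURRENT_MA["idle"] * (idle_end - tx_end)
        charge_mas += CURRENT_MA["dormant"] * (end - idle_end)
    return charge_mas / 3600.0


def eer(packets, window_s):
    """Equation (1): sum of packet sizes D_i over the energy spent in the
    window, in bits per mAh. `packets` is a list of (time_s, size_bits)."""
    total_bits = sum(size for _, size in packets)
    charge = estimate_charge_mah([t for t, _ in packets], window_s)
    return total_bits / charge


def profile_baseline(normal_windows, window_s):
    """Profiler: the statistical measure is the mean EER over windows of
    normal traffic for one scenario (e.g. one user and one application)."""
    return mean(eer(w, window_s) for w in normal_windows)


def eer_violation(current, baseline, threshold=0.5):
    """Detector: True if the current EER differs from the baseline by more
    than `threshold` as a fraction of the baseline. A drain attack shows up
    as an EER far below baseline (little data, much energy)."""
    return abs(current - baseline) / baseline > threshold


def web_burst(n_packets, start_s, size_bits=12000, spacing_s=0.1):
    """Constructed normal trace: a page download of n packets 0.1 s apart."""
    return [(start_s + spacing_s * i, size_bits) for i in range(n_packets)]


def trigger_trace(window_s, period_s=15.0, size_bits=512):
    """Constructed trace of a low-volume data trigger: one tiny packet every
    `period_s`, shorter than the idle timeout, so the mobile never goes dormant."""
    return [(period_s * i, size_bits) for i in range(int(window_s // period_s))]


WINDOW_S = 600.0
NORMAL_WINDOWS = [web_burst(40, 100.0), web_burst(50, 250.0), web_burst(60, 400.0)]
BASELINE = profile_baseline(NORMAL_WINDOWS, WINDOW_S)


def classify(packets, window_s=WINDOW_S, baseline=BASELINE):
    """Return (eer, charge_mAh, violation) for one observation window."""
    current = eer(packets, window_s)
    charge = estimate_charge_mah([t for t, _ in packets], window_s)
    return current, charge, eer_violation(current, baseline)


if __name__ == "__main__":
    for label, trace in [("normal 45-packet burst", web_burst(45, 50.0)),
                         ("512-bit packet every 15 s", trigger_trace(WINDOW_S))]:
        e, q, bad = classify(trace)
        print(f"{label}: EER={e:,.0f} bits/mAh, charge={q:.2f} mAh, violation={bad}")
```

Run stand-alone, the program reports a normal 45-packet burst within about 10% of the baseline, while the trace of one 512-bit packet every 15 seconds draws roughly seven times the charge of a 40-packet burst over the same ten minutes while moving a small fraction of the data, so its EER falls by over 99% and is flagged. Because the idle tail dominates the energy of a short session, the baseline has to be profiled per scenario as [0037] describes; mixing a small web burst with a long download in one profile would widen the spread enough to mask a drain.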

[0040] The set of EER values corresponds to a set of normal EER statistics parameterized for different circumstances and conditions. Additional information that may be used in building a profile for each user includes packet arrival times, IP addresses and port numbers of the sources and destinations, as well as application-layer characteristics such as type of traffic (HTTP, RTP).
[0041] In various embodiments, the profiler aggregates statistics per-user, per-application, as well as per-server. A per-user statistic can be further categorized, for example, into per-application statistics. For instance, web surfing is a frequently used service. Similarly, a video-on-demand server may use RTP packets to broadcast video to users. Statistics on a per-web-server basis can also be compiled by logging the arrival of HTTP/RTP packets.

[0042] To enable scalability, the profiles can be aggregated across users with similar behaviors. Traffic can then be compared to the aggregate profile to detect inconsistencies. Aggregate profiles can analogously be maintained for popular servers and also for popular applications.

[0043] The flexibility of using different classification approaches allows a more comprehensive and accurate characterization of what is considered as normal traffic. This profile is used to determine what is "abnormal" traffic, through the use, in one embodiment, of the EER mechanisms, while also minimizing the probability of false positives (incorrect classification of valid traffic as malicious traffic).

[0044] To detect the presence of a malicious attack, e.g., from malicious server 214 of FIG. 2, an appropriate heuristic for detection is used, such as: the power consumption for a specified amount of transmitted data is significantly higher than it is under normal circumstances. Note that, although FIG. 2 represents a DoS attack that is initiated via the Internet, DoS attacks can also be initiated within the wireless infrastructure, including at mobile endpoints. If all mobile-initiated traffic is routed to the firewall (with which the AWARE architecture is co-located), then a malicious mobile can be treated identically to a malicious server on the Internet.

[0045] It is relatively straightforward to determine the amount of traffic without involving the mobile devices. Almost any device in the wireless infrastructure that is on the path to the mobile device can calculate the amount of traffic coming in and going out of mobiles given sufficient information about the mobiles. The power consumed for the traffic, however, is not as readily available without the mobile's assistance. The mobiles can be modified to communicate information about their power consumption. Alternately, the power consumption can be estimated based on the packet arrival pattern.

[0046] The most difficult part in calculating the EER is measuring the power consumption at the mobile. If the exact power consumption is needed, then the mobile has to be modified to report this information to an intermediary. However, this may be difficult in practice since the modification of mobiles involves coordination of multiple parties to standardize the interface, etc. Even if the mobiles can be modified, another challenge remains as to how to separate the power consumed due to data transmission versus the power consumed due to other activities (e.g., listening to MP3s) at the mobile.
[0047] The problem is first addressed by observing that the power-consumption measurements need not be highly accurate. The important point is to be able to verify that power consumption is anomalously higher than normal. Therefore, power consumption can be estimated based on the traffic to and from the mobiles. In a CDMA network, for example, the RNC controls the transmission power of mobiles. As a result, a reasonably accurate energy consumption estimate can be obtained from the RNC, given knowledge of the packets arriving at and departing from the mobiles.

[0048] There are different possible locations for the AWARE architecture, each of which enables the detection of the battery attacks. It may appear useful for the AWARE architecture to be co-located with the BS and/or the RNC, since this would allow access to power-control information transmitted to the mobile from the BS with power recommendations for the mobile. However, since a mobile might not transmit at the recommended values, this source of power-consumption data does not necessarily provide exact values of EER. However, the EER ratio represents the energy consumed vs. the corresponding transmitted data, and need not be accurate. The goal here is not to derive an exact value of EER. Rather, the objective is to look at relative values of EER in order to detect an anomalous trend. Specifically, if the current behavior for a user does not concur with the user's average profile, then there is a high probability that an EER violation has occurred.

[0049] EER estimation that assigns randomly generated power-consumption weights to the different operations leads to the same flows being detected as an estimation that uses the real power recommendations sent to the mobiles. Thus, there is no accuracy gain in co-locating the AWARE architecture at any particular location rather than at any of the other possible locations in the wireless infrastructure. Since the reaction time to attacks is as important as the detection mechanism, it may be preferable to co-locate the AWARE architecture with the firewall in order to achieve the fastest reaction time.
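As an added worked example (not part of the patent text and not code of the AWARE architecture), the following Python code estimates a mobile's EER from the packets it sends and receives, builds a normal-operation profile, flags an interval in which the current EER deviates from that profile by more than a threshold, and then selects the packet sources responsible so that a filter can be installed for them. The EER is computed as the total bits in the interval divided by the total estimated power, as in claim 3. The per-packet power model (a fixed radio wake-up cost plus a per-byte cost), the relative threshold of 50 %, the 10 s window and the sample traffic are assumptions of this example, chosen only to make the relative comparison described above concrete.

```python
"""Added example: EER-based detection of a power-drain DoS against one mobile.

Not code from the patent or the AWARE architecture. The power model, the
relative threshold and the sample traffic are assumptions made here so that
the relative EER comparison described in the text can be run end to end.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Dict, Iterable, List, Optional

# Hypothetical per-packet power model in arbitrary energy units. As the text
# notes, only relative EER values matter, so the constants need not match any
# real handset: each packet pays a fixed radio wake-up cost plus a per-byte cost.
WAKEUP_COST = 5.0
PER_BYTE_COST = 0.02


@dataclass(frozen=True)
class Packet:
    t: float   # seconds since the start of observation
    src: str   # source IP address
    dst: str   # destination IP address
    size: int  # length in bytes


def estimate_power(pkt: Packet) -> float:
    """P_i: estimated energy the mobile spends sending or receiving one packet."""
    return WAKEUP_COST + PER_BYTE_COST * pkt.size


def eer(packets: Iterable[Packet]) -> Optional[float]:
    """EER = sum(D_i) / sum(P_i): bits moved per unit of estimated energy.
    Returns None for an empty interval instead of dividing by zero."""
    pkts = list(packets)
    if not pkts:
        return None
    bits = sum(8 * p.size for p in pkts)           # D_i summed over the interval
    power = sum(estimate_power(p) for p in pkts)   # P_i summed over the interval
    return bits / power


def eer_per_window(packets: Iterable[Packet], window: float) -> List[float]:
    """EER of each non-empty interval of `window` seconds, in time order."""
    buckets: Dict[int, List[Packet]] = defaultdict(list)
    for p in packets:
        buckets[int(p.t // window)].append(p)
    return [v for k in sorted(buckets) if (v := eer(buckets[k])) is not None]


def build_profile(normal: Iterable[Packet], window: float) -> float:
    """Statistical measure of normal operation: the mean per-window EER."""
    return mean(eer_per_window(normal, window))


def is_violation(profile: float, current: Optional[float], rel_threshold: float) -> bool:
    """True when the current EER differs from the profile by more than
    rel_threshold * profile, i.e. by more than the specified threshold."""
    if current is None:
        return False       # no traffic in the interval, so nothing to judge
    return abs(current - profile) > rel_threshold * profile


def suspect_sources(profile: float, current: Iterable[Packet], rel_threshold: float) -> List[str]:
    """Packet sources whose own traffic in the interval violates the profile.
    A host flooding the mobile with tiny packets pays the wake-up cost on every
    packet and so has a far lower EER than the user's normal traffic; these are
    the sources for which a firewall filter would be installed."""
    by_src: Dict[str, List[Packet]] = defaultdict(list)
    for p in current:
        by_src[p.src].append(p)
    flagged = [(eer(pkts), src) for src, pkts in by_src.items()
               if is_violation(profile, eer(pkts), rel_threshold)]
    return [src for _, src in sorted(flagged)]     # lowest EER first


def analyse(normal: List[Packet], current: List[Packet],
            window: float = 10.0, rel_threshold: float = 0.5) -> dict:
    """Profile on `normal`, then judge the `current` interval."""
    profile = build_profile(normal, window)
    cur = eer(current)
    attack = is_violation(profile, cur, rel_threshold)
    return {"profile_eer": profile, "current_eer": cur, "attack": attack,
            "block": suspect_sources(profile, current, rel_threshold) if attack else []}


# Constructed sample traffic (not captured data); addresses are documentation
# ranges. The mobile's normal peer is SERVER, the flood comes from ATTACKER.
MOBILE = "10.0.0.7"
SERVER = "198.51.100.10"
ATTACKER = "203.0.113.5"


def background(start: int, stop: int) -> List[Packet]:
    """Normal use: a 1200-byte download every 2 s and a 400-byte upload every 5 s."""
    down = [Packet(float(t), SERVER, MOBILE, 1200) for t in range(start, stop, 2)]
    up = [Packet(float(t), MOBILE, SERVER, 400) for t in range(start, stop, 5)]
    return down + up


NORMAL = background(0, 60)                      # six quiet 10 s windows
ATTACKED = background(60, 70) + [               # one window with a flood of
    Packet(60 + i / 10, ATTACKER, MOBILE, 40)   # 100 tiny packets on top
    for i in range(100)
]

if __name__ == "__main__":
    print(analyse(NORMAL, ATTACKED))
```

With these assumptions the flood of 40-byte packets drives the EER of the attacked window to about 115 against a profile of about 318, a drop of roughly 64 %, so the window is flagged; the per-source breakdown flags only 203.0.113.5, while the mobile's own uplink (EER about 246) and the normal peer stay within the threshold. In a deployment the threshold should be derived from the spread of the user's per-window EER rather than a fixed fraction, and the power model should be replaced by power-control data from the RNC where it is available.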

Interface with firewall/gateway

[0050] In one possible embodiment, the AWARE architecture is co-located with the firewall of a wireless service provider. In this model, no assumptions are made about any part of the wireless infrastructure being aware of, or interacting with, the AWARE architecture. The AWARE architecture uses IP-layer information such as packet arrivals, together with information from the IP/TCP and application-layer headers, to build profiles. This assumes that the AWARE architecture can look inside a packet. If IPsec in tunnel mode has been enabled, the AWARE architecture can be co-located with the IPsec gateway of the domain so that it is able to decrypt and inspect packet headers and payloads.

[0051] In a relatively non-invasive architecture, the AWARE architecture looks at IP packets that are passed on to it from the firewall before they reach the PDSN. All of the information is contained in the application, TCP and IP headers and in the payload itself. The relevant information used to build the profile can be extracted from those headers and the payload.

[0052] The AWARE architecture should be able to communicate with existing firewalls or IPsec gateways. Ideally, the AWARE architecture is co-located at these entities so that it can immediately install a filter, for example, to block suspected traffic. If the AWARE architecture is not co-located with the IPsec gateway, a security association is established with the gateway so that the AWARE architecture is able to decrypt and process ESP-encapsulated packets in tunnel mode. Note that either arrangement places the AWARE host inside the trust boundary of the IPsec gateway, since it holds the keys needed to decrypt the tunnel. Even if the AWARE architecture is not co-located with the firewall, most commercial firewalls, such as Check Point's FireWall-1, provide an interface that allows filters to be configured.
[0053] The AWARE architecture can be deployed using commercial and open-source off-the-shelf equipment. For correlation, an interface to the wireless infrastructure is defined for querying wireless user state. The interface allows the AWARE architecture to communicate in a secure manner with the wireless infrastructure in order to obtain user-specific information.
[0054] For detection, the open-source IDS Snort can be used to emulate the functionality of the AWARE architecture. Specifically, Snort correlates the information obtained from the wireless infrastructure; this state can also be estimated using the algorithms outlined earlier. Snort analyzes network traffic for matches against a user-defined rule set and performs one of several actions based upon what it sees. For example, Snort can install a rule in the firewall to block all packets whose headers contain a particular source address. Snort is modular and allows new plug-ins to be installed, so the detection mechanism can be customized and enhanced for defense against current and future attacks. Plug-in is a generic term that refers to modules that can be added dynamically to alter the behavior of Snort. For example, detection plug-ins can be introduced to improve the detection functionality. The detection heuristic described previously can be incorporated as a new detection plug-in in Snort.

[0055] For reaction, an interfacing plug-in called SnortSam can be used to interface with the firewall and react to detected DoS attacks. SnortSam is actually a software-based agent that runs on the firewall itself while communicating securely with Snort. It uses the OPSEC standard to communicate with Check Point's FireWall-1 and also supports other popular firewalls such as Cisco PIX. Snort can initially be used to install filters on the firewall to block malicious traffic. Subsequently, Snort can be interfaced with the wireless packet scheduler in order to reduce the priority of malicious traffic.

[0056] While this invention has been described with reference to illustrative embodiments, this description should not be construed in a limiting sense. Various modifications of the described embodiments, as well as other embodiments of the invention, which are apparent to persons skilled in the art to which the invention pertains, are deemed to lie within the principle and scope of the invention as expressed in the claims.
[0057] Although the steps in the following method 
claims are recited in a particular sequence with corre- 
sponding labeling, unless the claim recitations otherwise 
imply a particular sequence for implementing some or all 
of those steps, those steps are not necessarily intended 
to be limited to being implemented in that particular se- 
quence. 



Claims

1. A method for detecting a denial-of-service (DoS) attack in a wireless network, comprising:

(a) generating a statistical measure characterizing a relationship between power consumption by a mobile unit of the wireless network and data transmitted to and from the mobile unit during normal operations of the wireless network;

(b) comparing the statistical measure to a current measure of the relationship; and

(c) detecting the DoS attack if the current measure differs from the statistical measure by more than a specified threshold.

2. The invention of claim 1, wherein the statistical measure is based on a ratio of the amount of data transmitted to or from the mobile unit within a specified time interval to the amount of power consumed by the mobile unit during the specified time interval.

3. The invention of claim 2, wherein the ratio is an energy efficiency ratio EER given by:

$$\mathrm{EER} = \frac{\sum_{i=0}^{M} D_i}{\sum_{i=0}^{M} P_i}$$

where $D_i$ is the data size in bits of each packet $i$ that is sent or received during the time interval $T$, $P_i$ is the amount of power consumed by the mobile unit during the transmission or reception of the $i$th packet, and the sums run over the packets $i = 0, \dots, M$ sent or received during $T$.

4. The invention of claim 1, further comprising the step of inhibiting at least certain communications with the mobile unit if the DoS attack is detected.

5. The invention of claim 1, wherein:

the method is implemented by an architecture for wireless attack resistance within the wireless network;

the wireless network comprises an access node that provides access between the mobile unit and an internet; and

the architecture is implemented between the access node and the internet.

6. The invention of claim 1, wherein steps (a) and (b) are implemented for each mobile user in the wireless network.

7. The invention of claim 1, wherein the power consumption by the mobile unit is estimated by an architecture for wireless attack resistance of the wireless network based on the packet arrival pattern for the mobile unit.

8. The invention of claim 1, wherein:

the statistical measure is based on a ratio of the amount of data transmitted to or from the mobile unit within a specified time interval to the amount of power consumed by the mobile unit during the specified time interval;

the ratio is an energy efficiency ratio EER given by:

$$\mathrm{EER} = \frac{\sum_{i=0}^{M} D_i}{\sum_{i=0}^{M} P_i}$$

where $D_i$ is the data size in bits of each packet $i$ that is sent or received during the time interval $T$, $P_i$ is the amount of power consumed by the mobile unit during the transmission or reception of the $i$th packet, and the sums run over the packets $i = 0, \dots, M$ sent or received during $T$;

the wireless network comprises an access node that provides access between the mobile unit and an internet;

the DoS attack is initiated via the internet or from a mobile within the wireless network;

further comprising the step of inhibiting at least certain communications with the mobile unit if the DoS attack is detected, wherein selection of the certain communications is based on the source of the packets associated with the certain communications;

the method is implemented by an architecture for wireless attack resistance within the wireless network;

the architecture is implemented between the access node and the internet;

steps (a) and (b) are implemented for each mobile user in the wireless network; and

the power consumption by the mobile unit is estimated by the architecture based on the packet arrival pattern for the mobile unit.

9. An architecture for detecting a denial-of-service (DoS) attack in a wireless network, the architecture adapted to:

(a) generate a statistical measure characterizing a relationship between power consumption by a mobile unit of the wireless network and data transmitted to and from the mobile unit during normal operations of the wireless network;

(b) compare the statistical measure to a current measure of the relationship; and

(c) detect the DoS attack if the current measure differs from the statistical measure by more than a specified threshold.

10. A wireless network comprising:

an access node adapted to provide access between the wireless network and an internet;

one or more radio network controllers (RNCs) adapted to communicate with the access node;

one or more base stations for each RNC, adapted to communicate with the RNC and with one or more mobile units; and

an architecture adapted to:

(a) generate a statistical measure characterizing a relationship between power consumption by a mobile unit of the wireless network and data transmitted to and from the mobile unit during normal operations of the wireless network;

(b) compare the statistical measure to a current measure of the relationship; and

(c) detect the DoS attack if the current measure differs from the statistical measure by more than a specified threshold.
FIG. 3 (flowchart of the AWARE method): (1) profile the network by developing a set of normal EER profiles; (2) detect an attack by comparing the normal EER profiles to the current EER values; (3) protect the mobiles if it is determined that the network is under attack.